Explore vulnerabilities organized by type and attack vector
Categories group vulnerabilities by how an attacker exploits them — input manipulation, memory corruption, authentication bypass, and more. This makes it straightforward to reason about your attack surface rather than an undifferentiated list of findings.
Each category aligns to OWASP Top 10 entries and CWE identifiers, so engineers can map findings directly to compliance frameworks without manual cross-referencing. Useful when you need to demonstrate coverage to auditors or a security team.
Every category page links to real fix PRs Orbis AppSec opened in open-source repositories, showing exact before/after patches. Not a generic advisory — a worked example you can reference when fixing the same pattern in your own code.
Memory corruption vulnerabilities from writing beyond allocated buffers
Database query manipulation through untrusted input
Injecting malicious scripts into web pages viewed by users
Arbitrary system command execution through shell manipulation
Accessing files outside intended directories
Issues with user identity verification and session management
Access control and permission vulnerabilities
Weak encryption, insecure key management, and crypto misuse
Use-after-free, double-free, and memory leak vulnerabilities
Various injection vulnerabilities beyond SQL and command injection
Categories follow attack vector groupings aligned to OWASP Top 10 and CWE classifications. This makes it easy to map findings to compliance frameworks like SOC 2, PCI DSS, and HIPAA, while keeping the categories intuitive for developers who need to understand the nature of a flaw.
Coverage varies by language. SAST rules run across 10+ languages including Python, JavaScript, TypeScript, Go, Java, Ruby, and C/C++. Memory-safety categories (buffer overflow, use-after-free) apply mainly to C, C++, and Rust. Injection categories apply broadly across languages.
Orbis AppSec achieves roughly a 90% reduction in false positives compared to rule-only scanners by using AI to validate context before flagging an issue. The AI checks whether a code path is actually reachable with attacker-controlled input before raising a finding, and every finding includes a written explanation of why it is a real vulnerability.
Yes. For most categories Orbis AppSec automatically opens a GitHub pull request containing the fix. The PR includes a before/after diff, an explanation of the vulnerability, and references to the relevant CWE. The developer reviews and merges — no manual research or patch writing required.
Join thousands of developers who trust Orbis AppSec to find and fix vulnerabilities before they become problems. Get started in under 2 minutes.